Why are you so scared of the GDPR?

Bhavisha Mistry senses the panic in the air as the General Data Protection Regulation’s 25 May deadline draws ever closer. But she’s not sure what all the worry is about.

I’ll say it: I don’t get why people are so scared and negative about the GDPR.

The GDPR is a good thing. We are all ‘persons’ within the definition of personal data. Surely, we care about how our data is processed? If this is the case, then the GDPR can only be seen as positive. It clears up the grey areas and gives organisations the financial incentive to implement it. And it’s not even a complete overhaul of the existing position, so why are we so frightened?

The GDPR fills the gaps that have so far had to be dealt with by case law. Yes, it also adds a portability and erasure right, not to mention potentially huge fines, but these things will be exercised in very prescribed circumstances, something a lot of commentators, GDPR consultants and the like fail to acknowledge.

So let’s break it down. Essentially, when processing personal data you must comply with four things:

The six principles

The data subject’s rights

Adequacy for transfers outside the European Economic Area (EEA)

Keeping records.

The six principles

Make sure you notify the individual that you’re processing their data and have a legal basis for processing, eg consent, legitimate interests, contract etc

Make sure you have a clear reason or purpose for processing and don’t steer away from it

Don’t take more details than are necessary for your purpose

Keep data accurate at all times

Don’t keep data for longer than you need

Make sure that the data is safe.

The data subject’s rights

There’s been much scaremongering around the individual’s rights. You may have heard the following from panicked colleagues: ‘We’ll have to delete every speck of information on every server in every continent around the world.’ ‘We’re going to have to transfer online identifiers and the like to everyone.’ I may be exaggerating a little, but you get the idea.

However, those rights are only exercisable in certain defined circumstances.

For example, the right to portability doesn’t apply to data processed on the basis of legitimate interests and similarly, for the same legal basis, there is no right to erasure if there is an overriding legitimate interest to justify continued processing. If you familiarise yourself with these rights, you’ll realise they’re not all that scary and, most importantly, you’ll find one that suits you.

There are also technical measures you can take to avoid having to scour every single data set you have, so wise up and figure out what works best for you.

Adequacy for transfers outside the EEA

As is the case now, you need to ensure data is adequately protected if transferred outside the EEA, so check adequacy lists and get model clauses in place, or whatever other method you prefer to use. Nothing new here.

Keeping records

This is just common sense – how else will you be able to show you have complied?

The final word

Now you’ve got the basics, it’s plain sailing from here. The Information Commissioner’s Office has some really helpful guidance – I’d use this over the PowerPoint slides of the aforementioned expert GDPR consultants!

If there’s one final message, it’s this: prior to its adoption, the GDPR had been at the consultation stage for many years. Every problem, issue and concern has been carefully scrutinised by the legislators, so you can rest assured that the outcome you find within the regulation is the best one.

Bhavisha Mistry is general counsel and company secretary at Missguided and In-house Division committee vice-chair.
